<!doctype html><html lang="en"><head>
    <meta charset="utf-8">
    <title>Mirai code re-use in Gafgyt</title>
    <link rel="shortcut icon" href="https://www.uptycs.com/hubfs/slack-emoji.png">
    <meta name="description" content="Using threat intelligence systems and an in-house osquery-based sandbox, Uptycs' threat research team recently discovered multiple variants of the Linux-based botnet malware family, Gafgyt.">
    
    
    <meta property="og:description" content="Using threat intelligence systems and an in-house osquery-based sandbox, Uptycs' threat research team recently discovered multiple variants of the Linux-based botnet malware family, Gafgyt.">
    <meta property="og:title" content="Mirai code re-use in Gafgyt">
    <meta name="twitter:description" content="Using threat intelligence systems and an in-house osquery-based sandbox, Uptycs' threat research team recently discovered multiple variants of the Linux-based botnet malware family, Gafgyt.">
    <meta name="twitter:title" content="Mirai code re-use in Gafgyt">

    

    

    <style>
a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px}
</style>

<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/template_assets/51822599820/1632234478733/uptycs-srw/css/styles.min.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/1631654399582/module_51822599800_u4m-header.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/51823447372/1631554158899/module_51823447372_u4m-blog-post-cards.min.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/51822599816/1632234480422/module_51822599816_u4m-subscribe.min.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/51823447380/1632234478743/module_51823447380_u4m-footer.min.css">

    


    

<meta name="viewport" content="width=device-width, initial-scale=1">

<link rel="amphtml" href="https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt?hs_amp=true">

<meta property="og:image" content="https://www.uptycs.com/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png#keepProtocol">
<meta property="og:image:width" content="2592">
<meta property="og:image:height" content="1455">

<meta name="twitter:image" content="https://www.uptycs.com/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png#keepProtocol">


<meta property="og:url" content="https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt">
<meta name="twitter:card" content="summary_large_image">

<link rel="canonical" href="https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://www.uptycs.com/blog/rss.xml">
<meta name="twitter:domain" content="www.uptycs.com">
<meta name="twitter:site" content="@uptycs">

<meta http-equiv="content-language" content="en">






    
<meta name="generator" content="HubSpot"></head>
<body class="  hs-content-id-45093176073 hs-blog-post hs-blog-id-5593128451 ">
    
    
    

    
<main id="main-content" class="body-container-wrapper">

  
  <section class="u4m-blog-post">
    <!-- Blog Post Hero -->
    <div class="hero">
      <div class="content">
        <span class="date">April 15, 2021</span>
        <h1 class="title"><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Mirai code re-use in Gafgyt</span></h1>
        <div class="author-wrap">
          <div class="avatar lazy" data-bg="https://f.hubspotusercontent00.net/hub/2617658/hubfs/Siddarth%20Sharma%20Uptycs%20Threat%20Team.jpeg?length=100&amp;name=Siddarth%20Sharma%20Uptycs%20Threat%20Team.jpeg"></div>
          <div class="author-link">Written by: <a href="https://www.uptycs.com/blog/author/siddharth-sharma">Siddharth Sharma</a></div>        
        </div>
      </div>
    </div>
    <!-- End Blog Post Hero -->
  
    <!-- Blog Post Body -->
    <div class="body" id="body">
      <div class="content"><span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>Research by <a href="/blog/author/siddharth-sharma" rel="noopener" target="_blank">Siddharth Sharma</a></p>
<p>Uptycs' threat research team recently detected several variants of the Linux-based botnet malware family, “<strong>Gafgyt</strong>”, via threat intelligence systems and our in-house osquery-based sandbox. Upon analysis, we identified several code modules, techniques and implementations in Gafgyt that are re-used from the infamous <a href="https://github.com/jgamblin/Mirai-Source-Code" rel="noopener" target="_blank"><span>Mirai botnet</span></a>.&nbsp;</p>
<!--more-->
<p>In this blog, we’ll take a look at some of the re-used Mirai modules, their functionality, and the Uptycs EDR detection capabilities of Gafgyt.</p>
<h2>Gafgyt</h2>
<p><a href="https://en.wikipedia.org/wiki/BASHLITE" rel="noopener" target="_blank"><span>Gafgyt</span></a> (also known as Bashlite) is a prominent malware family for *nix systems that mainly targets vulnerable IoT devices like Huawei routers, Realtek routers and ASUS devices. Gafgyt also uses some existing exploits (CVE-2017-17215, CVE-2018-10561) to download next-stage payloads, which we discuss further below.</p>
<p>Gafgyt malware variants have very similar functionality to Mirai, as a majority of the code was copied.&nbsp;</p>
<h2>Technical Analysis: Gafgyt; Re-used Mirai modules&nbsp;</h2>
<p>During our analysis of Gafgyt, we identified several recent variants that have re-used some code modules from the Mirai source code. The modules are:&nbsp;</p>
<ol>
<li><em>HTTP flooding</em></li>
<li><em>UDP flooding</em></li>
<li><em>TCP flooding</em></li>
<li><em>STD module</em></li>
<li><em>Telnet Bruteforce</em></li>
</ol>
<p>We describe these modules and their functionality below. For this analysis we used the samples with the hashes <strong>da20bf020c083eb080bf75879c84f8885b11b6d3d67aa35e345ce1a3ee762444</strong> and <strong>1b3bb39a3d1eea8923ceb86528c8c38ecf9398da1bdf8b154e6b4d0d8798be49</strong>, together with the leaked Mirai source code.</p>
<h3>HTTP flooding module</h3>
<p>HTTP flooding is a kind of DDoS attack in which the attacker sends a large number of HTTP requests to the targeted server to overwhelm it. The creators of Gafgyt have re-used this code from the leaked Mirai source code.&nbsp;</p>
<p>The below figure (Figure 1) shows the comparison of the Gafgyt and Mirai HTTP flooding module.&nbsp;</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png?width=602&amp;name=Fig%201_%20HTTP%20flooder%20module_.png" alt="HTTP flooder module." width="602" loading="lazy" style="width: 602px;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png?width=301&amp;name=Fig%201_%20HTTP%20flooder%20module_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png?width=602&amp;name=Fig%201_%20HTTP%20flooder%20module_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png?width=903&amp;name=Fig%201_%20HTTP%20flooder%20module_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png?width=1204&amp;name=Fig%201_%20HTTP%20flooder%20module_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png?width=1505&amp;name=Fig%201_%20HTTP%20flooder%20module_.png 1505w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png?width=1806&amp;name=Fig%201_%20HTTP%20flooder%20module_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p><em>Figure 1: HTTP flooder module. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%201_%20HTTP%20flooder%20module_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</em></p>
<p>In the above image, the left is the Gafgyt decompiled code, which matches the Mirai source code on the right.</p>
<h3>UDP flood module</h3>
<p>UDP flooding is a type of DDoS attack in which an attacker sends a large number of UDP packets to the victim server to exhaust its resources. Gafgyt contains the same UDP flooding functionality, copied from the leaked Mirai source code (see Figure 2).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png?width=680&amp;name=Fig%202_%20UDP%20flooder%20module_.png" alt="Fig 2_ UDP flooder module_" width="680" loading="lazy" style="width: 680px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png?width=340&amp;name=Fig%202_%20UDP%20flooder%20module_.png 340w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png?width=680&amp;name=Fig%202_%20UDP%20flooder%20module_.png 680w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png?width=1020&amp;name=Fig%202_%20UDP%20flooder%20module_.png 1020w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png?width=1360&amp;name=Fig%202_%20UDP%20flooder%20module_.png 1360w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png?width=1700&amp;name=Fig%202_%20UDP%20flooder%20module_.png 1700w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png?width=2040&amp;name=Fig%202_%20UDP%20flooder%20module_.png 2040w" sizes="(max-width: 680px) 100vw, 680px"></p>
<p><em>Figure 2: UDP flooder module. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Fig%202_%20UDP%20flooder%20module_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</em></p>
<h3>TCP flood module</h3>
<p>Gafgyt performs all types of TCP flood attacks, such as SYN, PSH and FIN floods. In this type of attack, the attacker abuses the normal three-way TCP handshake so that the victim server receives a very large number of requests, which makes the server unresponsive.</p>
<p>The image below shows the TCP flooder module of Gafgyt, which contains code similar to Mirai's (see Figure 3).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png?width=602&amp;name=Figure%203_%20TCP%20flooder%20module_.png" alt="TCP flooder module." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png?width=301&amp;name=Figure%203_%20TCP%20flooder%20module_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png?width=602&amp;name=Figure%203_%20TCP%20flooder%20module_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png?width=903&amp;name=Figure%203_%20TCP%20flooder%20module_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png?width=1204&amp;name=Figure%203_%20TCP%20flooder%20module_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png?width=1505&amp;name=Figure%203_%20TCP%20flooder%20module_.png 1505w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png?width=1806&amp;name=Figure%203_%20TCP%20flooder%20module_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 3: TCP flooder module. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%203_%20TCP%20flooder%20module_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<h3>STD module</h3>
<p>Gafgyt contains an STD module which sends a random string (from a hardcoded array of strings) to a particular IP address. This functionality has also been used by Mirai (see Figure 4).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png?width=602&amp;name=Figure%204_%C2%A0%20STD%20module_.png" alt="STD module." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png?width=301&amp;name=Figure%204_%C2%A0%20STD%20module_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png?width=602&amp;name=Figure%204_%C2%A0%20STD%20module_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png?width=903&amp;name=Figure%204_%C2%A0%20STD%20module_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png?width=1204&amp;name=Figure%204_%C2%A0%20STD%20module_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png?width=1505&amp;name=Figure%204_%C2%A0%20STD%20module_.png 1505w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png?width=1806&amp;name=Figure%204_%C2%A0%20STD%20module_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 4:&nbsp; STD module. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%204_%C2%A0%20STD%20module_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<h3>Brute force module</h3>
<p>The flooding modules are not the only code that was re-used. Recent Gafgyt variants also contained other modules with minor tweaks, such as a <strong>telnet bruteforce scanner</strong> (see Figure 5).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png?width=602&amp;name=Figure%205_%20Telnet%20bruteforce%20module_.png" alt="Telnet bruteforce module." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png?width=301&amp;name=Figure%205_%20Telnet%20bruteforce%20module_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png?width=602&amp;name=Figure%205_%20Telnet%20bruteforce%20module_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png?width=903&amp;name=Figure%205_%20Telnet%20bruteforce%20module_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png?width=1204&amp;name=Figure%205_%20Telnet%20bruteforce%20module_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png?width=1505&amp;name=Figure%205_%20Telnet%20bruteforce%20module_.png 1505w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png?width=1806&amp;name=Figure%205_%20Telnet%20bruteforce%20module_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 5: Telnet bruteforce module. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%205_%20Telnet%20bruteforce%20module_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<h2>CVEs used by Gafgyt</h2>
<p>Gafgyt uses existing vulnerabilities in IoT devices to turn them into bots and later perform DDoS attacks on specifically targeted IP addresses. Some of the recent Gafgyt variants (e.g., <strong>7fe8e2efba37466b5c8cd28ae6af2504484e1925187edffbcc63a60d2e4e1bd8</strong> and <strong>25461130a268f3728a0465722135e78fd00369f4bccdede4dd61e0c374d88eb8</strong>) also contained multiple exploits, like the RCE exploits for Huawei and Realtek routers and the authentication bypass exploit in GPON Home Routers (see Figures 6, 7 and 8).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png?width=602&amp;name=Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png" alt="Huawei Exploit inside binary (CVE-2017-17215)." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png?width=301&amp;name=Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png?width=602&amp;name=Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png?width=903&amp;name=Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png?width=1204&amp;name=Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png?width=1505&amp;name=Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png 1505w, 
https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png?width=1806&amp;name=Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 6: Huawei Exploit inside binary (CVE-2017-17215). (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%206_%20Huawei%20Exploit%20inside%20binary%20(CVE-2017-17215)_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png?width=602&amp;name=Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png" alt="Realtek Exploit inside binary (CVE-2014-8361)." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png?width=301&amp;name=Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png?width=602&amp;name=Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png?width=903&amp;name=Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png?width=1204&amp;name=Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png?width=1505&amp;name=Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png 1505w, 
https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png?width=1806&amp;name=Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png 1806w" sizes="(max-width: 602px) 100vw, 602px">&nbsp;</p>
<p>Figure 7: Realtek Exploit inside binary (CVE-2014-8361). (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%207_%20Realtek%20Exploit%20inside%20binary%20(CVE-2014-8361)_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<p>In Figures 6 and 7, you can see the Gafgyt malware binary embeds Remote Code Execution exploits for Huawei and Realtek routers, by which the malware binary:</p>
<ol>
<li>fetches the payload using the <strong>wget</strong> command.</li>
<li>grants execute permission to the payload using the <strong>chmod</strong> command.</li>
<li><strong>executes</strong> the payload.</li>
</ol>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png?width=602&amp;name=Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png" alt="GPON Router Exploit inside binary (CVE-2018-10561)." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png?width=301&amp;name=Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png?width=602&amp;name=Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png?width=903&amp;name=Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png?width=1204&amp;name=Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png?width=1505&amp;name=Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png 1505w, 
https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png?width=1806&amp;name=Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 8: GPON Router Exploit inside binary (CVE-2018-10561). (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%208_%20GPON%20Router%20Exploit%20inside%20binary%20(CVE-2018-10561)_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<p>In the same way, the Gafgyt malware binary uses <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10561" rel="noopener" target="_blank"><span>CVE-2018-10561</span></a> for authentication bypass in vulnerable GPON routers; the malware binary fetches a malicious script using the <strong>wget</strong> command and then executes the <strong>script</strong> from the <strong>/tmp</strong> directory (<strong>bins.sh</strong> in Figure 8).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png?width=602&amp;name=Figure%209_%20Downloaded%20malicious%20script_.png" alt="Downloaded malicious script." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png?width=301&amp;name=Figure%209_%20Downloaded%20malicious%20script_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png?width=602&amp;name=Figure%209_%20Downloaded%20malicious%20script_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png?width=903&amp;name=Figure%209_%20Downloaded%20malicious%20script_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png?width=1204&amp;name=Figure%209_%20Downloaded%20malicious%20script_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png?width=1505&amp;name=Figure%209_%20Downloaded%20malicious%20script_.png 1505w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png?width=1806&amp;name=Figure%209_%20Downloaded%20malicious%20script_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 9: Downloaded malicious script. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%209_%20Downloaded%20malicious%20script_.png" rel="noopener" target="_blank">Click to see larger version.</a>)</p>
<p>The malicious script:</p>
<ol>
<li>fetches the payload using the <strong>wget</strong> command.</li>
<li>grants execute permission to the payload using the <strong>chmod</strong> command.</li>
<li><strong>executes</strong> the payload.</li>
<li><strong>removes</strong> the payload.</li>
</ol>
<p>The IP addresses used for fetching the payloads in Figure 9 (above) generally pointed to open directories where the attacker hosted malicious payloads for different architectures (see Figure 10).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png?width=602&amp;name=Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png" alt="Malwares hosted upon open directory." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png?width=301&amp;name=Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png?width=602&amp;name=Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png?width=903&amp;name=Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png?width=1204&amp;name=Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png?width=1505&amp;name=Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png 1505w, 
https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png?width=1806&amp;name=Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 10: Malware programs hosted upon open directory. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2010_%20Malwares%20hosted%20upon%20open%20directory_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<h2>Uptycs EDR detection</h2>
<p><a href="/blog/fast-consolidated-and-context-rich-detections-from-uptycs-will-keep-security-analysts-sane" rel="noopener" target="_blank"><span>Uptycs’ EDR capabilities</span></a>, armed with YARA process scanning, detected both Gafgyt variants with a threat score of 10/10 (see Figures 11 and 12).</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png?width=602&amp;name=Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png" alt="Uptycs detection for Gafgyt I." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png?width=301&amp;name=Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png?width=602&amp;name=Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png?width=903&amp;name=Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png?width=1204&amp;name=Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png?width=1505&amp;name=Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png 1505w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png?width=1806&amp;name=Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 11: Uptycs detection for Gafgyt I. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2011_%20Uptycs%20detection%20for%20Gafgyt%20I_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<p><img src="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png?width=602&amp;name=Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png" alt="Uptycs detection for Gafgyt II." width="602" loading="lazy" style="width: 602px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png?width=301&amp;name=Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png 301w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png?width=602&amp;name=Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png 602w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png?width=903&amp;name=Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png 903w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png?width=1204&amp;name=Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png 1204w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png?width=1505&amp;name=Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png 1505w, https://www.uptycs.com/hs-fs/hubfs/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png?width=1806&amp;name=Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p>
<p>Figure 12: Uptycs detection for Gafgyt II. (<a href="https://f.hubspotusercontent00.net/hubfs/2617658/Q1%202021-%20Blog%20Post%20Images%20-%20Mirai%20code%20re-use%20in%20Gafgyt/Figure%2012_%20Uptycs%20detection%20for%20Gafgyt%20II_.png" rel="noopener" target="_blank">Click to see larger version</a>.)</p>
<p>Malware authors may not always innovate; researchers often find that they copy and re-use leaked malware source code. To identify and protect against these kinds of malware attacks, we recommend the following measures:</p>
<ul>
<li aria-level="1">Regularly monitor for suspicious processes, events, and network traffic spawned by the execution of any untrusted binary.</li>
<li aria-level="1">Keep systems and firmware updated with the latest releases and patches.</li>
</ul>
<h2>IOCs</h2>
<p><strong><span style="font-size: 14px;">Hashes</span></strong> (64 hexadecimal characters each, consistent with SHA-256)</p>
<p><em>da20bf020c083eb080bf75879c84f8885b11b6d3d67aa35e345ce1a3ee762444</em></p>
<p><em>1b3bb39a3d1eea8923ceb86528c8c38ecf9398da1bdf8b154e6b4d0d8798be49</em></p>
<p><em>7fe8e2efba37466b5c8cd28ae6af2504484e1925187edffbcc63a60d2e4e1bd8</em></p>
<p><em>25461130a268f3728a0465722135e78fd00369f4bccdede4dd61e0c374d88eb8</em></p>
<p><em>4883de90f71dcdac6936d10b1d2c0b38108863d9bf0f686a41d906fdfc3d81aa</em></p>
<p><em>25461130a268f3728a0465722135e78fd00369f4bccdede4dd61e0c374d88eb8</em> (repeats the fourth hash in this list)</p>
<p><strong>URLs</strong> (the entries below are defanged IPv4 addresses; no paths or ports are given)</p>
<p><em>37[.]228[.]188[.]12</em></p>
<p><em>178[.]253[.]17[.]49</em></p>
<p><em>156[.]226[.]57[.]56</em></p>
<p><em>156[.]244[.]91[.]129</em></p>
<p><em>212[.]139[.]167[.]234</em></p>
<p><em>193[.]190[.]104[.]125</em></p>
<p><em>37[.]251[.]254[.]238</em></p>
<p><em>212[.]139[.]167[.]234</em> (repeats the fifth entry in this list)</p>
</span></div>
    </div>
    
    <!-- End Blog Post Body -->
  
    <!-- Blog Post Author -->
    <div class="author">
        <div class="meta">
          <div class="avatar lazy" data-bg="https://f.hubspotusercontent00.net/hub/2617658/hubfs/Siddarth%20Sharma%20Uptycs%20Threat%20Team.jpeg?length=100&amp;name=Siddarth%20Sharma%20Uptycs%20Threat%20Team.jpeg"></div>
        </div>
        <div class="bio">
          <h2 class="name"><a href="https://www.uptycs.com/blog/author/siddharth-sharma">Siddharth Sharma</a></h2>    
          <p>Siddharth Sharma works as a Malware Researcher at Uptycs. He specializes in malware analysis and reverse engineering on Linux and Windows platforms. He has worked as an intern at CERT-In. His blogs have been published in well-known security magazines.</p>
  
      </div>
    </div>
    <!-- End Blog Post Author -->  
  
    
  
  </section>

</main>


    
    
    
    





</body></html>